FYI - I am running a fully-patched Win2000 server (SP4 & all critical updates) and I got hit this morning with this exploit. Someone crashed the IMAP service and dropped a Trojan (rpcmon.exe) on my server.

My HOSTS file was FUBAR and there were 30-or-so TCP ports listening in the 1100-1130 range, presumably for IRC. Fortunately those ports are firewalled to the Internet, but I'm still cleaning up. I modified the IMAP "Hello Message" to remove any reference to "IMail" in a security-through-obscurity act of desperation, but of course the vulnerability still exists. Thanks, Ipswitch!

-Dave

---------------------------

Re: [IMail Forum] IMAP service stopping...
Russ Uhte
Tue, 09 Aug 2005 07:56:20 -0700

Bonno Bloksma wrote:
> Hi,
> So THAT is the way these trojans are getting into my mailserver... :-((((
> Sophos is getting them but I was unable to find the attack vector.

That's it. According to the source code, it's only a DoS on Windows 2000 SP2 or greater. On anything prior to that, it actually spawns a reverse shell to the attacker. At that point, you're rooted. If the attacker's smart enough, you'll never be able to clean that machine without a format re-install. Grrrrrrr.

> So it seems this bug is only fixed in IMail 8.2 and was never fixed in earlier versions. Might have been nice of Ipswitch to have a BIG warning on their site to tell us about this. I had heard about a buffer overflow in IMail but was unable to verify which parts were vulnerable. I'll be on the phone with them in a few minutes to see what action I need to take.

Luckily, I was running SP2 when I got hit, so it was only a DoS for me. I don't have a bunch of people using IMAP, so I just shut the service down completely. Obviously that's not an option for a shop that relies heavily on IMAP. I'm running 8.15, with no plans to upgrade to another version of IMail. I didn't like the way the company was going, and I sure wasn't gonna spend more money for a product I didn't believe in.

Let us know what they tell you.

People.... there ARE worms loose using this vulnerability to penetrate the mailserver. Sophos reports it as Troj/ServU-Gen.

My biggest concern was what if this would have been a POP3 vuln. I would have been toast. I can't take that chance on my server. Therefore, qmail :)

Thanks,
Russ

---
[This E-mail scanned for viruses by Declude Virus]

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
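A triage check for the two indicators Dave reports in the first post (the cluster of listening TCP ports in the 1100-1130 range and the modified HOSTS file), as an added example that is not part of the thread and not Ipswitch's code. It runs over constructed `netstat -an` output and a constructed HOSTS file; the port range, the alarm threshold, the stock HOSTS contents and the extra hostnames are assumptions for illustration, since the thread does not give the real contents of Dave's HOSTS file.

```python
"""
Post-compromise triage for the two indicators in Dave's post: a run of
listening TCP ports in the 1100-1130 range and a modified HOSTS file.
Added example, not from the IMail forum thread or from Ipswitch; the sample
netstat output and HOSTS contents below are constructed, and the port
range, cluster threshold and default HOSTS entries are assumptions.
"""
from typing import Dict, List, Tuple

SUSPECT_PORT_RANGE = (1100, 1130)     # assumed from the post ("1100-1130 range")
CLUSTER_THRESHOLD = 5                 # assumed: this many listeners in range => alarm

# Assumed stock content of a Windows 2000 HOSTS file: only the localhost line.
DEFAULT_HOSTS = {("127.0.0.1", "localhost")}

# Constructed sample of `netstat -an` output (Windows 2000 layout), not a real capture.
_NETSTAT_HEAD = (
    "Active Connections\n"
    "\n"
    "  Proto  Local Address          Foreign Address        State\n"
    "  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING\n"
    "  TCP    0.0.0.0:143            0.0.0.0:0              LISTENING\n"
)
_NETSTAT_CLUSTER = "".join(
    f"  TCP    0.0.0.0:{p:<5}          0.0.0.0:0              LISTENING\n"
    for p in range(1100, 1130)        # 30 listeners, as the post describes
)
_NETSTAT_TAIL = (
    "  TCP    192.168.1.10:143       192.168.1.77:3392      ESTABLISHED\n"
    "  UDP    0.0.0.0:1100           *:*\n"
)
SAMPLE_NETSTAT = _NETSTAT_HEAD + _NETSTAT_CLUSTER + _NETSTAT_TAIL

# Constructed HOSTS file; the thread only says Dave's was "FUBAR", so the
# extra entries here are invented to show what the check flags.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       av-updates.example      # added by the intruder (constructed)
127.0.0.1       virus-db.example
"""


def parse_listening_tcp_ports(netstat_text: str) -> List[int]:
    """Return the local port of every TCP socket netstat reports as LISTENING."""
    ports = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # Windows layout: Proto, Local Address, Foreign Address, State
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ports.append(int(parts[1].rsplit(":", 1)[1]))
    return ports


def suspect_port_cluster(ports: List[int],
                         lo: int = SUSPECT_PORT_RANGE[0],
                         hi: int = SUSPECT_PORT_RANGE[1]) -> List[int]:
    """Sorted, de-duplicated listening ports that fall inside [lo, hi]."""
    return sorted({p for p in ports if lo <= p <= hi})


def parse_hosts(hosts_text: str) -> List[Tuple[str, str]]:
    """Parse HOSTS into (ip, hostname) pairs; comments and blank lines are dropped."""
    entries = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # strip trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:                      # one line may carry several names
            entries.append((ip, name.lower()))
    return entries


def hosts_anomalies(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Entries beyond the stock file, i.e. names this box no longer resolves honestly."""
    return [e for e in entries if e not in DEFAULT_HOSTS]


def triage(netstat_text: str, hosts_text: str) -> Dict[str, object]:
    """Combine both checks into a findings dict a responder can act on."""
    cluster = suspect_port_cluster(parse_listening_tcp_ports(netstat_text))
    extra = hosts_anomalies(parse_hosts(hosts_text))
    return {
        "suspect_ports": cluster,
        "port_cluster_alarm": len(cluster) >= CLUSTER_THRESHOLD,
        "hosts_extra": extra,
        "hosts_tampered": bool(extra),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_NETSTAT, SAMPLE_HOSTS).items():
        print(f"{key}: {value}")
```

On a real box you would feed `triage()` the text of `netstat -an` and of `%SystemRoot%\system32\drivers\etc\hosts` instead of the constructed samples. A clean result from this check proves little on its own: as Russ notes, once a reverse shell has landed the machine should be treated as rooted, and the only reliable remedy is a rebuild.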
